Newly-enacted data breach laws in 6 states differ from Cal.’s pio...
Newly-enacted data breach laws in 6 states differ from Cal.’s pioneering law in scope and trigger mechanisms, the law firm Cole, Raywid & Braverman said Thurs. The 2003 Cal. law requires firms maintaining personal information in a computer database to notify any affected Cal. resident of breaches. “Personal information” includes full name plus any of Social Security number (SSN), driver’s license number (DLN), Cal. ID card number, or financial account, credit or debit card number coupled with account access codes. Publicly available information offered by federal, state or local govts. isn’t covered. Ind.’s new statute applies only to state agencies, and Ga.’s only applies to data brokers, like ChoicePoint, that sell information to unaffiliated 3rd parties, the firm said. Ark.’s law: (1) Exempts businesses from notification if an internal investigation finds no “reasonable likelihood” of harm to customers from the breach. (2) Covers medical information and doesn’t exempt publicly available information, unlike Cal.’s. Mont.’s data breach provisions -- part of a broader privacy law -- cover only exposures that “materially” affect personal information or are “reasonably believed to cause loss or injury.” N.D.’s law includes under “personal information” a person’s birth date, mother’s maiden name, employer-assigned ID number and digitized signature. Like Cal.’s, 4 state laws “widely applicable” to businesses -- in Ark., Mont., N.D. and Wash. -- exempt firms with formal customer-notification policies for breaches. None of the laws clearly define how to decide a breach has occurred, the firm said. “The scope or frequency of any notice must be tailored to avoid creating exaggerated consumer fears or undermining investor confidence through unnecessary disclosures of attempted hacks or similar events that do not actually compromise the security of the stored personal information,” the report said: “It is likely that new laws… will make the process for determining when and where to give notice of a security breach more complicated.”